Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Two Critical RCE Bugs Patched in Drupal 7 and 8

Drupal’s advisory also included three patches for “moderately critical” bugs.

Drupal is urging users to upgrade to the latest release that fixes two critical remote code execution bugs impacting Drupal 7 and Drupal 8. Developers have also identified three additional “moderately critical” vulnerabilities.

“A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” according to a security bulletin posted by the United States Computer Emergency Readiness Team (US CERT).

The critical bugs, disclosed this week, include an injection vulnerability in the default Drupal mail backend, which uses PHP’s mail function [DefaultMailSystem::mail()] in Drupal 7 and 8.

One of the critical vulnerabilities is tied to the “DefaultMailSystem::mail()” component in Drupal 7 and 8. According to the advisory, when using this default mail system to send emails, some variables were not being sanitized for shell arguments, according to a separate advisory released by the Drupal developer community. When untrusted input is not sanitized correctly that could lead to remote code execution.

This glitch was reported by security researcher and senior web developer Damien Tournoud with Princeton University.

A second remote code execution bug, reported by Nick Booher, exists in Drupal 9’s Contextual Links module. In Drupal, these modules supply contextual links that allow privileged users to quickly perform tasks related to regions of the page – without having to navigating to the Admin Dashboard.

However, the Contextual Links module doesn’t sufficiently validate the requested contextual links. That means that an attacker could launch a remote code execution attack in these links.

One upside is that an attacker would need certain existing permissions: “this vulnerability is mitigated by the fact that an attacker must have a role with the permission ‘access contextual links,'” Drupal said.

Drupal also acknowledged three other “moderately critical” bugs in its advisory.

The first is an access bypass bug in the content moderation tool in Drupal 8. Essentially, in some conditions, content moderation fails to check a users’ access to use certain transitions – potentially allowing access bypass.

Another open redirect vulnerability in Drupal 7 and 8 allows and external URL injection through URL aliases.

The path module allows users with the ‘administer paths’ to create pretty URLs for content – and that means that “In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url,” Drupal said.

The issue is mitigated by the fact that the user needs the administer paths permission to exploit, Drupal said.

Finally, a “moderately critical” bug in Drupal’s redirect process allows bad actors to trick users to visiting third party websites.

According to Drupal, Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page.

“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” said Drupal.

All bugs were fixed, and Drupal advised users to upgrade to the most recent version of Drupal 7 or 8 core.

“Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019,” the company said.

Drupal has had a run through the mill when it comes to vulnerabilities this year, in particular dealing with a flaw (CVE-2018-7600) in March impacting versions 6,7, and 8 of Drupal’s CMS platform, which impacted over one million sites running Drupal.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.